Monday, November 30, 2009

Campus - and Personal - Security for the Holidays

I recommend you take a look at Linda McGlasson's post 'Tis the Season for Thieving. There is some good advice for all, both for your campus security (check out the warnings on fake bank transfers) and your and your staff's personal security (phishing, fake charity websites, etc.).

Some specific scams Linda offers highlights includes:
Holiday e-cards (loaded with nasty attachments)
Fake "new friend" emails
Unsecured public terminals (do you really want to use a password at that kiosk!?!)
Fake holiday websites (Santa really, really would not go there)

May we all have a safe and secure holiday season...but somehow I sort of doubt it.

Friday, November 20, 2009

Your School Needs Another Domain

I saw this post at the ha.ckers.org site describing how a particular domain name - com.com - was up for sale. While that might be in itself interesting to you or not, one part of that post caught my attention:
In fact, one of C|NET’s (the company that currently runs com.com) network admins was listed as the 10th most dangerous and least likely person on the Internet during my presentation at OWASP. Why? Because of typo traffic. A friend of mine used to run csuchico.com instead of csuchico.edu and used to get tons of sensitive information about the local college, including building plans, love letters, medical information, bills, and on and on… And that was just one .edu domain. Now imagine the typo traffic for all of .com!
I remember when I was with a small company, we had not only our .com address, but we also got the .net, .org, .edu, and every other "dot" domain we could. Why? For the same reason as CSU Chico should have: people make typos and send all kinds of stuff to the wrong domain. And that's just the innocent mistakes. You certainly don't want a bad guy spoofing your site using the same name but different domain.

Moral of the story. I'm sure most of you have already done this, but if you haven't go out and spend a few bucks and get all the domains for your school's name and not just the .edu. It won't cost much and it may help you sleep better. And if you find someone is already camping on the domain, well I guess maybe that tells you something, too...and you should not like it.

Tuesday, November 17, 2009

PCI Update in NACUBO's Business Officer

The November issue of NACUBO's Business Officer is out with a report from Tom Davis and me on the PCI Community Meeting. You can see it here once its online. Golly, we even got featured on the cover, and they included our pictures at the end. FYI, Tom's the better looking one; I'm the one with (some) hair.

I blogged about the Community Meeting before (particularly here and here), but the Business Officer article gave us a chance to go into more detail and report in more organized fashion. I was also pleased that NACUBO included a link to the blog as well as our respective email addresses.

What's the point? The editors got it right away, and they highlighed it in box: PCI is being revised next year, and it is effective October 2010. That means you want to take advantage of the NACUBO-Treasury Institute partnership to stay informed and monitor developments. They will doubtless impact your campus and your job. Thanks to Matt Hamill and Carole Schweitzer at NACUBO for helping spread the word through the Business Officer.

Monday, November 16, 2009

Is Your Campus Hotel Targeted?

If you have a hotel on your campus, you should have a look at Visa's Alert on Targeted Hospitality Industry Vulnerabilities. I've blogged about campus hotel PCI issues before (see here and here), but this release highlights two particular attack vectors that should get your attention.

In one case, hackers in which they install debugging software on POS systems to extract full magnetic stripe data from volatile terminal memory. As Visa explains, this method of data
extraction from memory is of particular concern since unencrypted data is commonly written to volatile memory during the transaction process. Best of all, hackers may utilize tools to execute the program remotely.

Another attack is when which hackers with full access to the system enable debug mode on payment applications to obtain full magnetic stripe data from the system. For this type of attack, debugging software is not necessary since the payment application has the option to enable debug mode for troubleshooting purposes. A solution is to ensure you set administrative and all privileges properly.

Hotels are a particularly challenging PCI environment. They also are, apparently, targeted. Don't wait to be a victim. Act now to ensure you and your institution are protected.

Visa Issues FAQ on its Payment Application Mandates

Visa just released a FAQ on its payment application mandates. Visa issued the mandates with two objectives in mind:
  • To eliminate the use of payment applications that are known to be vulnerable to attack or that store prohibited data like the security codes or PINs; and
  • To require merchants who use third party payment applications to use only PA-DSS applications.
Note that if you use an internally-developed payment application (does anybody still do that!?!), the second part of this mandate doesn't apply to you. But if like most of the Higher Ed world you use third-party apps that store, process, or transmit payment card data, then those apps have to be PA-DSS compliant. And the only way you can tell is to go to the list on the PCI Council's website and check to see if your app is listed. While you're there, be sure to check the version and expiry date, too.

I'm sometimes asked if using a PA-DSS application makes a school PCI compliant. The answer is a firm NO, but it can help if you do it right. First, your PA-DSS app has to be installed according to the vendor's Implementation Guide (you asked to see a copy before you signed up, right...we could have a major discussion on that one), and you installed the app in a PCI compliant environment. Then the best you can say is that the PA-DSS app won't be the cause of your being non-compliant. In other words, PA-DSS apps can simplify your compliance effort considerably, but they are not a panacea.

This FAQ is intended for you. There is nothing particularly new, but it is a good reminder of some important upcoming dates you need to be aware of. This is just one of the topics we'll be discussing at the upcoming Treasury Institute PCI Workshop in Long Beach this January. I hope you will be able to join me there.

Friday, November 13, 2009

OWASP Top Ten for 2010 Released

Late today (Friday) a preliminary update to the OWASP 10 for 2010 was released (click here). As most of you know, PCI compliance requires (among a bunch of other things...) that all custom code be reviewed so as not to be vulnerable to these exploits.

There are some changes in ranking. A couple of new candidates are on this preliminary list:
  • Security misconfiguration (in the #6 slot) had appeared in the 2004 list, but was dropped in 2007; and
  • Unvalidated redirects and forwards (#8) which is new to the list.
The latter is relatively unknown and can cause significant damage.

The two that were dropped are:
  • Malicious file execution (was #3) which is less prevalent today; and
  • Information leakage and improper error handling (was #6) which while still common has less impact.
The proposed list is open to comment through December, and we can expect it to be finalized in January 2010. The timing is particularly opportune as the revision to the Top 10 comes in time to be reflected in the upcoming PCI DSS release this fall.